Protocol-independent settings
Allow ICMP errors from the destination to the source – ICMP error messages are sent
in several situations: for example, when an IP packet cannot reach its destination. The
purpose of these error control messages is to provide feedback about problems in the
communication environment.
However, ICMP error messages and firewalls are usually not a very good combination; the
ICMP error messages are initiated at the destination host (or a device within the path to the
destination) and sent to the originating host. The result is that the ICMP error message will be
interpreted by the firewall as a new connection and dropped, if not explicitly allowed by the
firewall rule-set. Allowing any inbound ICMP message just to get those error messages
forwarded is generally not a good idea.
To solve this problem, DFL-200 can be instructed to pass an ICMP error message only if it
is related to an existing connection. Check this option to enable this feature for connections
using this service.
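The "related" check described above can be modelled by looking at the original datagram that every ICMP error quotes and matching it against the firewall's connection table. The following is an added example (not D-Link code); the connection table, addresses and the `build_icmp_unreachable` helper are constructed for illustration.

```python
import struct
from ipaddress import ip_address

# Constructed connection table as a stateful firewall would track it: outbound 5-tuples
# (ip protocol, src, sport, dst, dport) of sessions that are currently open.
CONNECTIONS = {
    (17, "192.168.1.10", 40000, "203.0.113.5", 53),   # UDP DNS query in flight
    (6, "192.168.1.10", 51000, "198.51.100.7", 80),   # TCP session to a web server
}

# ICMP types that report an error about another datagram (RFC 792): destination
# unreachable, source quench, redirect, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

def quoted_tuple(icmp: bytes):
    """Return the 5-tuple of the original datagram quoted inside an ICMP error, or None."""
    if len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        return None
    inner = icmp[8:]                      # original IP header + first 8 bytes of its payload
    if len(inner) < 20:
        return None
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 4:
        return None
    proto = inner[9]
    src = str(ip_address(inner[12:16]))
    dst = str(ip_address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])   # TCP and UDP both start with ports
    return (proto, src, sport, dst, dport)

def icmp_error_is_related(icmp: bytes, table=CONNECTIONS) -> bool:
    """Forward the error only if the datagram it quotes belongs to a tracked connection."""
    quoted = quoted_tuple(icmp)
    return quoted is not None and quoted in table

def build_icmp_unreachable(src, sport, dst, dport, proto=17, code=3):
    """Constructed ICMP destination-unreachable message quoting a minimal original datagram."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                           ip_address(src).packed, ip_address(dst).packed)
    inner_l4 = struct.pack("!HH", sport, dport) + bytes(4)
    return struct.pack("!BBHI", 3, code, 0, 0) + inner_ip + inner_l4
```

An error quoting a datagram the firewall never saw leave, or a plain echo request, fails the check and is dropped like any other unsolicited inbound packet.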
ALG – Like other stateful inspection based firewalls, DFL-200 filters on information found
in packet headers, for instance in IP, TCP, UDP and ICMP headers.
In some situations though, filtering on header data only is not sufficient. The FTP protocol,
for instance, includes IP address and port information in the protocol payload. In these cases,
the firewall needs to be able to examine the payload data and carry out appropriate actions.
DFL-200 provides this functionality using Application Layer Gateways, also known as ALGs.
To use an Application Layer Gateway, the appropriate Application Layer Gateway
definition is selected in the dropdown menu. The selected Application Layer Gateway will thus
manage network traffic that matches the policy using this service.
Currently, DFL-200 supports two Application Layer Gateways: one is used to manage the
FTP protocol and the other one is an HTTP Content Filtering ALG. For detailed information
about how to configure the HTTP Application Layer Gateway, please see the Content Filtering
chapter.
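To show what "examining the payload" means for the FTP ALG mentioned above, here is an added example (not the DFL-200 implementation) that reads the host/port fields carried in a PORT command or a 227 PASV reply and derives the single data connection the firewall should permit. Addresses and function names are constructed for illustration; the checks that the announced address belongs to the speaking peer and that the port is unprivileged are the defensive conditions an ALG applies before opening a pinhole.

```python
import re

# Host/port encoding used in FTP PORT commands and 227 PASV replies: h1,h2,h3,h4,p1,p2
HOSTPORT = rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(rb"^PORT " + HOSTPORT + rb"\r?\n$")
PASV_RE = re.compile(rb"^227 [^(]*\(" + HOSTPORT + rb"\)")

def decode_hostport(groups, expected_ip):
    """Turn the six decimal fields into (ip, port). Refuse addresses that are not the
    speaking peer's own, and privileged ports, so a pinhole never points at a third host."""
    fields = [int(x) for x in groups]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if ip != expected_ip or port < 1024:
        return None
    return ip, port

def ftp_alg_pinhole(line: bytes, client_ip: str, server_ip: str):
    """Inspect one FTP control-channel line and return the data connection the
    firewall should temporarily permit for this session, or None."""
    m = PORT_RE.match(line)
    if m:   # active mode: the server connects back from port 20 to the client's announced port
        hp = decode_hostport(m.groups(), client_ip)
        if hp is None:
            return None
        return {"proto": "tcp", "src": server_ip, "sport": 20, "dst": hp[0], "dport": hp[1]}
    m = PASV_RE.match(line)
    if m:   # passive mode: the client connects out to the port the server announced
        hp = decode_hostport(m.groups(), server_ip)
        if hp is None:
            return None
        return {"proto": "tcp", "src": client_ip, "sport": None, "dst": hp[0], "dport": hp[1]}
    return None   # any other command needs no pinhole
```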
VPN
Introduction to IPSec
This chapter introduces IPSec, the method, or rather set of methods used to provide VPN
functionality. IPSec, Internet Protocol Security, is a set of protocols defined by the IETF,
Internet Engineering Task Force, to provide IP security at the network layer.
An IPSec based VPN, such as DFL-200 VPN, is made up of two parts:
Internet Key Exchange protocol (IKE)
IPSec protocols (ESP)
The first part, IKE, is the initial negotiation phase, where the two VPN endpoints agree on
which methods will be used to provide security for the underlying IP traffic. Furthermore, IKE
is used to manage connections, by defining a set of Security Associations, SAs, for each
connection. SAs are unidirectional, so there will be at least two SAs per IPSec connection.
The other part is the actual IP data being transferred, using the encryption and authentication
methods agreed upon in the IKE negotiation. This is accomplished using the IPSec protocol
ESP.
To set up a Virtual Private Network (VPN), you do not need to configure an Access Policy
to enable encryption. Just fill in the following settings: VPN Name, Source Subnet (Local Net),
Destination Gateway (If LAN-to-LAN), Destination Subnet (If LAN-to-LAN) and Authentication
Method (Pre-shared key or Certificate). The firewalls on both ends must use the same Pre-
shared key or set of Certificates and IPSec lifetime to make a VPN connection.
Introduction to PPTP
PPTP, Point-to-Point Tunneling Protocol, is used to provide IP security at the network
layer.
A PPTP based VPN is made up of these parts:
Point-to-Point Protocol (PPP)
Authentication Protocols (PAP, CHAP, MS-CHAP v1, MS-CHAP v2)
Microsoft Point-To-Point Encryption (MPPE)
Generic Routing Encapsulation (GRE)
PPTP uses TCP port 1723 for its control connection and uses GRE (IP protocol 47) for
the PPP data. PPTP supports data encryption by using MPPE.
Introduction to L2TP
L2TP, Layer 2 Tunneling Protocol, is used to provide IP security at the network layer.
An L2TP based VPN is made up of these parts:
Point-to-Point Protocol (PPP)
Authentication Protocols (PAP, CHAP, MS-CHAP v1, MS-CHAP v2)
Microsoft Point-To-Point Encryption (MPPE)
L2TP uses UDP to transport the PPP data; this is often encapsulated in IPSec for
encryption instead of using MPPE.
Point-to-Point Protocol
PPP (Point-to-Point Protocol) is a standard for transporting datagrams over point-to-point
links. It is used to encapsulate IP packets for transport between two peers.
PPP consists of these three components:
Link Control Protocols (LCP), to negotiate parameters, test and establish the link.
Network Control Protocol (NCP), to establish and negotiate different network
layer protocols (DFL-200 only supports IP)
Data encapsulation, to encapsulate datagrams over the link.
To establish a PPP tunnel, both sides send LCP frames to negotiate parameters and test
the data link. If authentication is used, at least one of the peers has to authenticate itself
before the network layer protocol parameters can be negotiated using NCP. During the LCP
and NCP negotiation, optional parameters such as encryption can be negotiated. When LCP
and NCP negotiation is done, IP datagrams can be sent over the link.
Authentication Protocols
PPP supports different authentication protocols; PAP, CHAP, MS-CHAP v1 and MS-CHAP v2
are supported. Which authentication protocol to use is negotiated during LCP
negotiation.
PAP
PAP (Password Authentication Protocol) is a simple, plaintext authentication scheme,
which means that user name and password are sent in plaintext. PAP is therefore not a
secure authentication protocol.
CHAP
CHAP (Challenge Handshake Authentication Protocol) is a challenge-response
authentication protocol specified in RFC 1994. CHAP uses the MD5 one-way hash function
to hash the response to a challenge issued by the DFL-200. CHAP is better than PAP in that
the password is never sent over the link. Instead the password is used to create the one-way
MD5 hash. That means that CHAP requires passwords to be stored in a reversibly encrypted
form.
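The CHAP exchange above, as an added example (not D-Link code): the RFC 1994 response is MD5 over the identifier, the secret and the challenge, and the authenticator side shows why the verifier needs the cleartext secret and why each challenge must be single use. The `ChapAuthenticator` class and the user name are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response value: MD5(Identifier || secret || Challenge Value).
    The secret itself never crosses the link; only this digest does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class ChapAuthenticator:
    """Authenticator side (the DFL-200's role in the text). Because it must recompute
    chap_response(), it needs the cleartext secret, not a one-way hash of it."""

    def __init__(self, secrets: dict):
        self.secrets = secrets      # name -> cleartext secret (constructed example store)
        self.pending = {}           # identifier -> outstanding challenge

    def challenge(self, identifier: int, challenge: bytes = None) -> bytes:
        """Issue a fresh random challenge (a fixed one may be passed in for testing)."""
        chal = challenge if challenge is not None else os.urandom(16)
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Accept the response only once per challenge; a replayed response is rejected
        because the challenge was consumed the first time."""
        chal = self.pending.pop(identifier, None)
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)
```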
MS-CHAP v1
MS-CHAP v1 (Microsoft Challenge Handshake Authentication Protocol version 1) is
similar to CHAP; the main difference is that with MS-CHAP v1 the password only needs to be
stored as an MD4 hash instead of in a reversibly encrypted form. Another difference is that
MS-CHAP v1 uses MD4 instead of MD5.
MS-CHAP v2
MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2) is more
secure than MS-CHAP v1 as it provides two-way authentication.
MPPE, Microsoft Point-To-Point Encryption
MPPE is used to encrypt Point-to-Point Protocol (PPP) packets. MPPE uses the
RSA RC4 algorithm to provide data confidentiality. The length of the session key to be used
for the encryption can be negotiated. MPPE currently supports 40-bit, 56-bit and 128-bit RC4
session keys.
L2TP/PPTP Clients
General parameters
Name – Specifies a name for the PPTP/L2TP Client.
Username – Specify the username to use for this PPTP/L2TP Client.
Password/Confirm Password – The password to use for this PPTP/L2TP Client.
Interface IP – Specifies if the L2TP/PPTP Client should try to use a specified IP or get one
from the server.
Remote Gateway – The IP address of the PPTP/L2TP Server to connect to.
Dial on demand – Used when the tunnel should only be brought up when needed; if disabled,
the tunnel will always try to be up.
Authentication protocol – Specify if, and what, authentication protocol to use; read more
about the different authentication protocols in the Authentication Protocol Introduction
chapter.
MPPE encryption – If MPPE encryption is going to be used, this is where the encryption level
is configured.
If L2TP or PPTP over IPSec is going to be used, it has to be enabled and configured to either
use a Pre-Shared Key or a Certificate.